Herodotus: a banking trojan that exposes the limits of an antivirus

A new Android banking Trojan, Herodotus, has been circulating in recent weeks. Offered as Malware-as-a-Service (MaaS), it disguises itself as a legitimate application to convince users to install an APK. Once installed, it requests sensitive permissions and can take control of the device to perform banking operations on behalf of the user.

A modern mobile attack, yet once again, largely invisible to most traditional antivirus solutions.

Herodotus in brief

The banking trojan spreads through SMS phishing links that redirect users to a fake page prompting them to download an application. The victim then installs an APK outside the Play Store.
Once installed and granted permissions, Herodotus requests critical permissions (including Accessibility), overlays fake screens on top of legitimate applications to deceive the user, and can capture the screen and keystrokes. Its goal is session takeover, which is performing operations while the victim is actively logged in.

To bypass anti-fraud systems, Herodotus “humanizes” its actions with random delays, micro-movements, and realistic typing patterns to make automation much more difficult to detect

Why an antivirus isn't enough

The Pradeo team searched for the malware in the database of a leading antivirus provider : no alert was raised on the application’s content. In other words, the antivirus failed to flag the malicious applicatio, even though it clearly appears as such when searched for using a simple search engine.

This can be explained by how antivirus solutions work, they rely mainly on known signatures and previously observed behaviors. A malicious application obtained through SMS phishing and installed outside the Play Store may easily go undetected if its code is new and its dangerous actions are only triggered after installation and permission approval.

Effective detection, in this case, depends on chaining multiple indicators of compromise : a suspicious SMS link leading to an unknown source, installation from outside the store, critical permission requests, followed by visible signs such as screen overlays, simulated interactions, or screen captures.
Individually, these signals may seem harmless, but together, and in their sequence, they clearly reveal an ongoing attack that an antivirus can easily miss.

How Pradeo Mobile Threat Defense blocks the attack

Unlike an antivirus, a Mobile Threat Defense (MTD) solution observes the real behavior of the device and acts at every stage of the attack chain:

1. Phishing link blocking:
   Thanks to the anti-phishing module built into the Pradeo Security application, access to the malicious page is directly prevented. The user never reaches the download page and therefore cannot retrieve the APK.
   
   
2. Prevention of risky installations :
   Pradeo Mobile Threat Defense detects that an application originates from an unknown source and immediately alerts the security team to prevent potential compromise.
   
   
3. Monitoring of permissions and behaviors :
   • When an application requests critical permissions (such as Accessibility), Pradeo Mobile Threat Defense flags it as potentially malicious and quarantines it, preventing any device takeover or intrusive actions.
   • Our solution also monitors UI and system behaviors (overlays, simulated taps, abnormal network activity). At the first sign of a malicious overlay, access to sensitive applications is immediately blocked.

The Herodotus case clearly illustrates that antivirus solutions are not suited to modern mobile threats, which combine social engineering, off-store installations, and abuse of sensitive permissions.
To effectively protect collaborators and corporate data, deploying a Mobile Threat Defense (MTD) solution is now essential.